Re: Crypto signing of packages

To: Manoj Srivastava <srivasta@datasync.com>
Cc: debian-devel@lists.debian.org
Subject: Re: Crypto signing of packages
From: Jim Pick <jim@jimpick.com>
Date: 24 Oct 1997 13:57:08 -0700
Message-id: <[🔎] 87sotqyj4r.fsf@fleming.jimpick.com>
In-reply-to: Manoj Srivastava's message of "24 Oct 1997 14:27:07 -0500"
References: <[🔎] 87en5b6jxw.fsf@tiamat.datasync.com>

> * Three or four Project master keys held by separate people,
> maintainers' working keys must be signed by some n-out-of-m of them.
> 
> * Revoke Project master keys by n-out-of-m of them; this way we can
> gradually leave bad old keys behind.

I don't think we need project master keys.  What's wrong with just
having a maintainer for a keyring, and distributing that.  It could
be signed by the keyring maintainer (Igor) and distributed widely.
Then the only way it could be compromised is if Igor's private
key and PGP passphrase were stolen.  Even in the case of 
that unlikely event, we should still be able to regain control of
the keyring.

Cheers,

 - Jim

Attachment: pgp_p14M6V2LU.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Crypto signing of packages
  - From: Fabrizio Polacco <fpolacco@icenet.fi>

References:
- Re: Crypto signing of packages
  - From: Manoj Srivastava <srivasta@datasync.com>

Prev by Date: Re: Announcements for .debs not in distribution?
Next by Date: Re: pppd
Previous by thread: Re: Crypto signing of packages
Next by thread: Re: Crypto signing of packages
Index(es):
- Date
- Thread